[Oisf-users] Fwd: Async_oneside flag.

Rodolfo Etore rponteado at gmail.com
Wed Jun 4 13:15:21 UTC 2014


Sorry, that's my bad,

Basically these two c99 rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
(msg:"INDICATOR-COMPROMISE c99shell.php command request - phpinfo";
flow:to_server,established; content:"act=phpinfo"; fast_pattern;
http_uri; metadata:policy security-ips drop, service http;
reference:url,vil.nai.com/vil/content/v_136948.htm;
classtype:policy-violation; sid:16628; rev:4;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
(msg:"INDICATOR-COMPROMISE c99shell.php command request - ls";
flow:to_server,established; content:"act=ls"; fast_pattern:only;
http_client_body; metadata:service http;
reference:url,vil.nai.com/vil/content/v_136948.htm;
classtype:policy-violation; sid:22931; rev:4;)

2014-06-04 5:00 GMT-03:00 Victor Julien <lists at inliniac.net>:
> On 06/03/2014 10:54 PM, Rodolfo Etore wrote:
>> I have here a "problem" with an asynchronous link. I read about this
>> feature in the configuration file:
>>
>>
>> async_oneside
>>
>> I've turned it on and tried to get a match on data with just one side of
>> the conversation, as shown in the PCAP, but no hits at all.
>>
>> Is there anything I am doing wrong? Did I misunderstand this feature?
>>
>
> Can you share how you are trying to match? What kind of rule?
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/



-- 
Thank you very much in advance
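The two rules above look alike but inspect different HTTP buffers: sid 16628 anchors `act=phpinfo` to `http_uri`, while sid 22931 anchors `act=ls` to `http_client_body`, so a request carrying `act=ls` in the query string will never fire the second rule no matter what the stream engine does. The following script is an added illustration, not part of the original mail or of Suricata/Snort: it parses the two Snort-2-style rules, reports which buffer each content is tied to and what `flow:` requires, and evaluates three constructed test requests against them. It models only buffer selection; the `flow:to_server,established` requirement depends on TCP session state, which is exactly what the one-sided-traffic question in the thread is about, so it is parsed and reported here but not enforced. All request samples and the `parse_rule`/`evaluate` helpers are assumptions made for this example.

```python
import re

# Constructed sample input: the two c99shell rules quoted in the message, one per string.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
    '(msg:"INDICATOR-COMPROMISE c99shell.php command request - phpinfo"; '
    'flow:to_server,established; content:"act=phpinfo"; fast_pattern; http_uri; '
    'metadata:policy security-ips drop, service http; '
    'reference:url,vil.nai.com/vil/content/v_136948.htm; '
    'classtype:policy-violation; sid:16628; rev:4;)',
    'drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
    '(msg:"INDICATOR-COMPROMISE c99shell.php command request - ls"; '
    'flow:to_server,established; content:"act=ls"; fast_pattern:only; http_client_body; '
    'metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; '
    'classtype:policy-violation; sid:22931; rev:4;)',
]

# Rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)
# Snort-2 style content modifiers: each applies to the preceding content keyword.
BUFFER_MODIFIERS = {"http_uri", "http_client_body", "http_header", "http_method"}


def split_options(body):
    """Split the option body on ';' that are outside double quotes (msg may contain ';')."""
    opts, cur, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if ''.join(cur).strip():
        opts.append(''.join(cur).strip())
    return opts


def parse_rule(text):
    """Return the action, flow requirements, sid and (pattern, buffer) pairs of one rule."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: %r" % text[:40])
    action, proto, _src, _sport, _direction, _dst, _dport, body = m.groups()
    rule = {"action": action, "proto": proto, "flow": [], "contents": [], "sid": None}
    current = None
    for opt in split_options(body):
        key, _, val = opt.partition(':')
        key, val = key.strip(), val.strip()
        if key == "content":
            # Until a modifier follows, a content matches the raw payload.
            current = {"pattern": val.strip('"').encode(), "buffer": "payload"}
            rule["contents"].append(current)
        elif key in BUFFER_MODIFIERS and current is not None:
            current["buffer"] = key
        elif key == "flow":
            rule["flow"] = [v.strip() for v in val.split(',')]
        elif key == "sid":
            rule["sid"] = int(val)
    return rule


def parse_http_request(raw):
    """Minimal HTTP/1.x request parser producing the buffers the modifiers refer to."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    return {"http_method": method, "http_uri": uri, "http_client_body": body,
            "http_header": b"\r\n".join(lines[1:]), "payload": raw}


def rule_matches(rule, request):
    """True when every content pattern is found in the buffer its modifier selects.
    TCP state (flow:established) is NOT modelled here; see the lead-in."""
    return all(c["pattern"] in request[c["buffer"]] for c in rule["contents"])


def evaluate(rules, raw_request):
    """Return the sorted sids of the rules whose content checks match the request."""
    req = parse_http_request(raw_request)
    return sorted(r["sid"] for r in rules if rule_matches(r, req))


# Constructed test traffic for checking the rules (not captured data).
GET_PHPINFO = b"GET /c99.php?act=phpinfo HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
POST_LS = (b"POST /c99.php HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 6\r\n\r\nact=ls")
GET_LS = b"GET /c99.php?act=ls HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

PARSED = [parse_rule(r) for r in RULES]

if __name__ == "__main__":
    for r in PARSED:
        print("sid %d: action=%s flow=%s contents=%s" % (
            r["sid"], r["action"], ",".join(r["flow"]),
            [(c["pattern"].decode(), c["buffer"]) for c in r["contents"]]))
    for name, raw in (("GET act=phpinfo", GET_PHPINFO), ("POST act=ls", POST_LS),
                      ("GET act=ls", GET_LS)):
        print("%-16s -> matching sids %s" % (name, evaluate(PARSED, raw)))
```

Running it shows that `GET ...?act=ls` matches neither rule: the `act=ls` rule only looks at the request body. When a rule that should fire does not, checking which buffer the content is bound to is worth doing before suspecting the stream engine or the `async-oneside` setting.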


